The Security Hardening Guide for the NPort 5000 Series

Moxa Technical Support Team


[email protected]

Contents
1. Introduction.................................................................................... 2
2. General System Information ........................................................... 3
2.1. Basic Information About the Device ............................................................ 3
2.2. Deployment of the Device ......................................................................... 4
3. Configuration and Hardening Information ...................................... 4
3.1. TCP/UDP Ports and Recommended Services ................................................. 5
3.2. HTTPS and SSL Certificates ....................................................................... 9
3.3. Account Management ..............................................................................10
3.4. Accessible IP List.....................................................................................12
3.5. Logging and Auditing ...............................................................................13
4. Patching/Upgrades ....................................................................... 15
4.1. Patch Management Plan ...........................................................................15
4.2. Firmware Upgrades .................................................................................15
5. Security Information and Vulnerability Feedback ......................... 16

Copyright © 2021 Moxa Inc. Released on March 26, 2021

About Moxa
Moxa is a leading provider of edge connectivity, industrial computing, and network
infrastructure solutions for enabling connectivity for the Industrial Internet of Things
(IIoT). With over 30 years of industry experience, Moxa has connected more than 57
million devices worldwide and has a distribution and service network that reaches
customers in more than 70 countries. Moxa delivers lasting business value by
empowering industries with reliable networks and sincere service. Information about
Moxa’s solutions is available at www.moxa.com.
How to Contact Moxa
Tel: +886-2-8919-1230
Moxa Tech Note: The Security Hardening Guide for the NPort 5000 Series

1. Introduction
This document provides guidelines on how to configure and secure the NPort 5000 Series. The
recommended steps in this document should be considered as best practices for security in
most applications. It is highly recommended that you review and test the configurations
thoroughly before implementing them in your production system in order to ensure that your
application is not negatively impacted.

Copyright © 2021 Moxa Inc. Page 2 of 16



2. General System Information

2.1. Basic Information About the Device

Model                    Function               Operating System       Firmware Version
NPort 5000A Series       General purpose        Moxa Operating System  Version 1.6
NPort 5110               General purpose        Moxa Operating System  Version 2.10
NPort 5130/5150          General purpose        Moxa Operating System  Version 3.9
NPort 5200 Series        General purpose        Moxa Operating System  Version 2.12
NPort 5400 Series        General purpose        Moxa Operating System  Version 3.14
NPort 5600-DT Series     General purpose        Moxa Operating System  Version 2.8
NPort 5600-DTL Series    Entry level            Moxa Operating System  Version 1.6
NPort 5600 Series        Rackmount              Moxa Operating System  Version 3.10
NPort 5000AI-M12 Series  Railway                Moxa Operating System  Version 1.5
NPort IA5000 Series      Industrial automation  Moxa Operating System  Version 1.7
NPort IA5000A Series     Industrial automation  Moxa Operating System  Version 1.7

The NPort 5000 Series is a device server specifically designed to allow industrial
devices to be directly accessible from the network. Thus, legacy devices can be
transformed into Ethernet devices, which then can be monitored and controlled from
any network location or even the Internet. Different configurations and features are
available for specific applications, such as protocol conversion, Real COM drivers, and
TCP operation modes, to name a few.

Moxa Operating System (MOS) is an embedded proprietary operating system that runs only on Moxa edge devices. Because MOS is not freely available, commodity malware written for general-purpose operating systems is unlikely to run on it, which reduces exposure to opportunistic attacks. This is not a security control in itself: the services the device exposes on the network (section 3.1), the accounts that can log in (section 3.3), and the hosts allowed to reach it (section 3.4) still decide whether it can be attacked, so the hardening steps below apply regardless.




2.2. Deployment of the Device

Deploy the NPort 5000 Series behind a firewall, in a network segment with sufficient security controls in place to protect it from both internal and external threats.

Make sure that the physical protection of the NPort devices and/or the system meets the security needs of your application. Depending on the environment and the threat situation, the form of protection can vary significantly.

3. Configuration and Hardening Information

For security reasons, account and password protection is enabled by default, so you must provide the correct account and password to unlock the device before entering the web console.

The default account and password are admin and moxa (both in lowercase letters), respectively. Once you are successfully logged in, a pop-up notification will appear to remind you to change the password. Change it before the device is connected to a production network: the default credentials are published, and they are the first thing anyone probing the device will try.




3.1. TCP/UDP Ports and Recommended Services


Refer to the table below for all the ports, protocols, and services that are used to
communicate between the NPort 5000 Series and other devices.

Service Name         Option          Default Setting  Type  Port Number   Remark & Description
Moxa Command (DSCI)  Enable/Disable  Enable           TCP   14900, 4900   For Moxa utility communication
                                                      UDP   4800
DNS_wins (Client)    Enable          Enable           UDP   53, 137, 949  Processing DNS and WINS data
SNMP agent           Enable/Disable  Enable           UDP   161           SNMP handling routine
HTTP server          Enable/Disable  Enable           TCP   80            Web console
HTTPS server         Enable/Disable  Enable           TCP   443           Secured web console
Telnet server        Enable/Disable  Disable          TCP   23            Telnet console
DHCP client          Enable/Disable  Disable          UDP   68            The DHCP client needs to acquire the system IP address from the server
SNTP                 Enable/Disable  Disable          UDP   Random port   Synchronize time settings with a time server. This function is not available for the NPort 5100/5100A/5200/5200A Series.
Remote System Log    Enable/Disable  Disable          UDP   Random port   Send the event log to a remote log server

Operation Mode               Option          Default Setting  Type  Port Number                                      Remark & Description
Real COM Mode                Enable/Disable  Enable           TCP   950 + (serial port No. - 1),
                                                                    966 + (serial port No. - 1)
RFC2217 Mode                 Enable/Disable  Disable          TCP   User-defined (default: 4000 + serial port No.)   Only available in certain models
TCP Server Mode              Enable/Disable  Disable          TCP   User-defined (default: 4000 + serial port No.),
                                                                    User-defined (default: 966 + serial port No.)
UDP Mode                     Enable/Disable  Disable          UDP   User-defined (default: 4000 + serial port No.)
Pair Connection Master Mode  Enable/Disable  Disable          TCP   User-defined (default: 4000 + serial port No.)   Only available in certain models
Pair Connection Slave Mode   Enable/Disable  Disable          TCP   User-defined (default: 4000 + serial port No.)   Only available in certain models
Ethernet Modem Mode          Enable/Disable  Disable          TCP   User-defined (default: 4000 + serial port No.)
Reverse Telnet Mode          Enable/Disable  Disable          TCP   User-defined (default: 4000 + serial port No.)
Disabled Mode                Enable/Disable  Disable          N/A   N/A

For security reasons, you should consider disabling unused services. After initial setup,
use services with stronger security for data communication. Refer to the table below for
the suggested settings.

Service Name         Suggested Setting  Type  Port Number   Security Remark
Moxa Command (DSCI)  Disable            TCP   14900, 4900   Disable this service as it is not commonly used
                                        UDP   4800
DNS_wins             Enable             UDP   53, 137, 949  A necessary service to obtain an IP address; cannot be disabled
SNMP                 Disable            UDP   161           Manage the NPort via the HTTPS console instead
HTTP Server          Disable            TCP   80            Disable HTTP to prevent plaintext transmission of credentials and settings
HTTPS Server         Enable             TCP   443           Encrypted data channel with a trusted certificate for NPort configuration
Telnet Server        Disable            TCP   23            Disable this service as it is not commonly used
DHCP Client          Disable            UDP   67, 68        Assign an IP address manually to the device
SNTP Client          Disable            UDP   Random port   If time synchronization is needed (for example, for accurate log timestamps), use a trusted SNTP server
Remote System Log    Enable             UDP   Random port   Use a system log server to store the logs from all the devices in the network




For console services, we recommend the following:

HTTP: Disable
HTTPS: Enable
Telnet: Disable
Moxa Command: Disable

To enable or disable these services, log in to the HTTP/HTTPS console and select Basic Settings -> Console Settings.

For the SNMP agent service, log in to the HTTP/HTTPS console, select Administration -> SNMP Agent, and set SNMP to Disable.




To disable the SNTP service, log in to the HTTP/HTTPS/SSH/Telnet console, select Basic Settings, and leave the Time server field empty. An empty Time server field disables the SNTP client.

Whether to use a remote system log server depends on your network architecture. We recommend that your network administrator provide a log server to receive the log messages from the device. In that case, log in to the HTTP/HTTPS/SSH/Telnet console, select Remote Log Server, and enter the IP address of the log server in the SYSLOG server field. If your network does not have one, leave the field empty (this disables the Remote System Log service).

Which operation mode services to keep depends on how you bring your serial device onto the Ethernet network. For example, if your host PC uses legacy software that opens a COM port to communicate with the serial device, the NPort provides that through Real COM mode. If you do not want the NPort to provide such a service, log in to the HTTP/HTTPS/SSH/Telnet console, select Serial Port Settings -> Port # -> Operation Modes, and then select Disable.

Note: For each instruction above, click the Submit button to save your changes, then restart
the NPort device so the new settings will take effect.
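After the restart, confirm from the network side that the settings took effect rather than trusting the console. The script below is an added example, not Moxa tooling: it scans the TCP ports from the tables in this section, compares what answers with the suggested settings, and labels any open serial-port data channel so you can decide whether that port's operation mode is meant to be in use. The target address (192.168.127.254) and the 16-port upper bound are assumptions; UDP state is taken as an input because a silent UDP port cannot be told apart from a filtered one with a plain socket, so collect it with a dedicated scanner (for example, nmap -sU) and pass it in.

```python
"""Post-hardening port audit for an NPort 5000 Series device (added example)."""
import socket
from typing import Dict, Iterable, List, Optional, Set

# Management service that must still answer after hardening.
EXPECTED_OPEN_TCP: Set[int] = {443}  # HTTPS console

# Services the suggested-settings table says to disable, keyed by port.
EXPECTED_CLOSED_TCP: Dict[int, str] = {
    23: "Telnet server",
    80: "HTTP server (plaintext web console)",
    4900: "Moxa Command (DSCI)",
    14900: "Moxa Command (DSCI)",
}
EXPECTED_CLOSED_UDP: Dict[int, str] = {
    161: "SNMP agent",
    4800: "Moxa Command (DSCI)",
}


def classify_serial_port(port: int, max_serial_ports: int = 16) -> Optional[str]:
    """Name the operation-mode channel a TCP port belongs to, using the port
    formulas from the operation-mode table. max_serial_ports is an assumption
    (the largest NPort 5000 models have 16 serial ports)."""
    if 950 <= port < 950 + max_serial_ports:
        return f"Real COM data channel, serial port {port - 950 + 1}"
    if 966 <= port < 966 + max_serial_ports:
        return f"Real COM / TCP Server command channel, serial port {port - 966 + 1}"
    if 4001 <= port <= 4000 + max_serial_ports:
        return f"TCP Server / RFC2217 / Pair Connection / Ethernet Modem / Reverse Telnet data channel, serial port {port - 4000}"
    return None


def scan_tcp(host: str, ports: Iterable[int], timeout: float = 1.0) -> Set[int]:
    """Return the subset of `ports` that complete a TCP handshake on `host`."""
    open_ports: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def evaluate(open_tcp: Set[int], open_udp: Set[int]) -> List[str]:
    """Compare observed open ports with the hardened baseline.

    FAIL findings deviate from the suggested settings; INFO findings are
    serial-port channels that are legitimate only if that port's operation
    mode is meant to be in use."""
    findings: List[str] = []
    for port in sorted(EXPECTED_OPEN_TCP - open_tcp):
        findings.append(f"FAIL tcp/{port}: HTTPS console not reachable; after hardening it is the only console left")
    for port in sorted(open_tcp & set(EXPECTED_CLOSED_TCP)):
        findings.append(f"FAIL tcp/{port}: {EXPECTED_CLOSED_TCP[port]} is enabled; disable it under Console Settings")
    for port in sorted(open_udp & set(EXPECTED_CLOSED_UDP)):
        findings.append(f"FAIL udp/{port}: {EXPECTED_CLOSED_UDP[port]} is enabled")
    for port in sorted(open_tcp - EXPECTED_OPEN_TCP - set(EXPECTED_CLOSED_TCP)):
        label = classify_serial_port(port) or "unexpected listener, identify and disable"
        findings.append(f"INFO tcp/{port}: {label}")
    return findings


def is_hardened(open_tcp: Set[int], open_udp: Set[int]) -> bool:
    """True when no finding is a FAIL."""
    return not any(f.startswith("FAIL") for f in evaluate(open_tcp, open_udp))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.127.254"  # assumed address
    to_check = (set(EXPECTED_OPEN_TCP) | set(EXPECTED_CLOSED_TCP)
                | set(range(950, 982)) | set(range(4001, 4017)))
    observed = scan_tcp(target, sorted(to_check))
    for line in evaluate(observed, set()) or ["OK: no deviations from the suggested settings"]:
        print(line)
```

Run it from a host that is on the Accessible IP List (section 3.4); from anywhere else every port looks closed and the audit proves nothing. A FAIL on tcp/443 after hardening usually means the management PC was locked out rather than that HTTPS is off.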




3.2. HTTPS and SSL Certificates

HTTPS provides an encrypted channel to the web console. Because TLS v1.1 and earlier have known weaknesses that are practical to exploit, the NPort 5000 Series uses TLS v1.2 for HTTPS to ensure that data transmissions are protected. Make sure your browser has TLS v1.2 enabled.
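The version requirement can be verified from the client side. The probe below is an added example, not Moxa code: it offers the device one TLS version at a time and reports which handshakes complete, then judges the result against this section (TLS 1.2 accepted, TLS 1.0 and 1.1 refused; TLS 1.3 is newer and not treated as a failure). Certificate verification is switched off for the probe only, because the factory certificate is self-signed and the question here is the protocol version, not trust; a browser session should still present a certificate you trust. The target address and port are assumptions.

```python
"""Probe which TLS versions an NPort HTTPS console negotiates (added example)."""
import socket
import ssl
import warnings
from typing import Dict, List

VERSIONS: Dict[str, ssl.TLSVersion] = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 3.0) -> bool:
    """True if the server completes a handshake when the client offers only `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probe only: we test the protocol, not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)  # pinning TLS 1.0/1.1 is deprecated
            ctx.minimum_version = version
            ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return False  # this client build cannot offer the version at all
    try:
        # Modern OpenSSL refuses legacy versions at its default security level;
        # lowering it lets the client actually offer TLS 1.0/1.1 to the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_all(host: str, port: int = 443) -> Dict[str, bool]:
    """Map each version name to whether the server accepted it."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def verdict(results: Dict[str, bool]) -> List[str]:
    """Findings against the guide's requirement: TLS 1.2 (or newer), nothing older."""
    findings: List[str] = []
    for legacy in ("TLSv1.0", "TLSv1.1"):
        if results.get(legacy):
            findings.append(f"FAIL: server accepts {legacy}")
    if not results.get("TLSv1.2") and not results.get("TLSv1.3"):
        findings.append("FAIL: server negotiates neither TLS 1.2 nor TLS 1.3")
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.127.254"  # assumed address
    res = probe_all(target)
    for name, ok in res.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    for line in verdict(res) or ["OK: only TLS 1.2 or newer is accepted"]:
        print(line)
```

A "rejected" result for TLS 1.0 or 1.1 is only meaningful if the client could offer it; on a build where the legacy versions are compiled out, probe_version returns False before any packet is sent, so confirm with a second tool (for example, openssl s_client -tls1_1) before recording a pass.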




3.3. Account Management


• The NPort 5000 Series provides two different user levels, Read Write (admin) and
Read Only (user). With a Read Write account, you can access and modify all settings
through the web console. With a Read Only account, you can only view settings.

• The default Read Write account is admin, with the default password moxa. To manage accounts, log in to the web console and select Administration -> Account Management -> User Account.

• To add a new account, click Add in the top toolbar, then enter the Account Name,
Password, Confirm Password, and select a User Level.

• To modify an existing account, click on the account name and select Edit in the top
toolbar.

• To delete an account, click on the account name and select Delete in the top
toolbar.

• After making any changes, click Save/Restart in the top toolbar.




Note: We suggest you manage your device with a separate administrator-level account instead of the default "admin" account, whose name is the well-known default on embedded systems. Once the new administrator-level account has been created, monitor the original "admin" account for failed login attempts, since it is the obvious target for brute-force attacks.

• To improve security, the login password policy and account login failure lockout can be configured. To configure them, log in to the HTTP/HTTPS console and select Administration -> Account Management -> Password & Login Policy.

• Adjust the password policy to require more complex passwords. For example, set the Minimum length to 16, enable all password complexity strength checks, and enable the Password lifetime options. To slow down brute-force attacks, also enable the Account login failure lockout feature.

• For some system security requirements, a warning message may need to be displayed to all users attempting to log in to the device. To add a login message, log in to the HTTP/HTTPS console, select Administration -> Account Management -> Notification Message, and enter the Login Message to use.




3.4. Accessible IP List


• The NPort 5000 Series has a feature that limits access to specific remote host IP addresses to prevent unauthorized access. If a host's IP address is in the accessible IP table, the host is allowed to access the NPort 5000 Series; all other hosts are refused. To configure it, log in to the HTTP/HTTPS console and select Accessible IP List.

• You may add a specific address or a range of addresses by using a combination of an IP address and a netmask as follows:

− To allow access to a specific IP address: enter the IP address in the corresponding field, then 255.255.255.255 for the netmask.
− To allow access to hosts on a specific subnet: for both the IP address and the netmask, use 0 for the last octet (e.g., "192.168.1.0" and "255.255.255.0").
− To allow access to all IP addresses: make sure that the Enable checkbox for the Accessible IP List is not checked.
Additional configuration examples are shown in the following table:

Desired IP Range                IP Address Field   Netmask Field
Any host                        (leave the Enable checkbox for the Accessible IP List unchecked)
192.168.1.120                   192.168.1.120      255.255.255.255
192.168.1.1 to 192.168.1.254    192.168.1.0        255.255.255.0
192.168.1.1 to 192.168.255.254  192.168.0.0        255.255.0.0
192.168.1.1 to 192.168.1.126    192.168.1.0        255.255.255.128
192.168.1.129 to 192.168.1.254  192.168.1.128      255.255.255.128

Warning: Ensure that the IP address of the PC you are using to access the web console is in the Accessible IP List.
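Before submitting a list, it helps to compute exactly which hosts each entry admits and to check that the management PC is among them, since a mistake here locks you out of the web console. The code below is an added example, not Moxa code. It assumes the usual meaning of the IP/netmask pairs in the table: an entry admits a source address when (source AND netmask) equals (IP address AND netmask). The planned entries and the management host addresses in the usage block are constructed.

```python
"""Model of the Accessible IP List match rule and a lock-out check (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

Entry = Tuple[str, str]  # (IP Address Field, Netmask Field) exactly as typed into the console


def entry_network(entry: Entry) -> ipaddress.IPv4Network:
    """The network an entry admits. strict=False masks off host bits set in
    the address field instead of rejecting the entry."""
    addr, mask = entry
    return ipaddress.IPv4Network((addr, mask), strict=False)


def is_allowed(source: str, entries: Iterable[Entry], list_enabled: bool = True) -> bool:
    """True if `source` may reach the device; with the list disabled, every host may."""
    if not list_enabled:
        return True
    src = ipaddress.IPv4Address(source)
    return any(src in entry_network(e) for e in entries)


def describe(entry: Entry) -> str:
    """Human-readable host range for one entry, in the style of the table above."""
    net = entry_network(entry)
    if net.prefixlen == 32:
        return f"{net.network_address} only"
    first, last = net.network_address + 1, net.broadcast_address - 1
    return f"{first} to {last} ({net.with_prefixlen})"


def lockout_check(management_hosts: Iterable[str], entries: List[Entry]) -> List[str]:
    """Management hosts the planned list would shut out (the warning above)."""
    return [h for h in management_hosts if not is_allowed(h, entries)]


if __name__ == "__main__":
    planned: List[Entry] = [            # constructed example list
        ("192.168.1.120", "255.255.255.255"),   # one engineering workstation
        ("192.168.1.128", "255.255.255.128"),   # the SCADA server subnet
    ]
    for e in planned:
        print(f"{e[0]:15} {e[1]:15} -> {describe(e)}")
    shut_out = lockout_check(["192.168.1.120", "10.20.0.7"], planned)  # constructed hosts
    print("would be locked out:", shut_out or "nobody")
```

Two details worth checking in the output: an entry such as 192.168.0.0 with netmask 255.255.0.0 also admits every 192.168.0.x host, not only 192.168.1.1 onwards as the table's shorthand suggests, and a /25 entry admits the network and broadcast addresses as well as the hosts listed. Keep entries as narrow as the management hosts actually require.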

3.5. Logging and Auditing


• These are the events that will be recorded by the NPort 5000 Series:

Event Group    Summary
System         System cold start, system warm start
Network        DHCP/BOOTP gets IP/renew, NTP connect failed, IP conflict, Network link down
Configuration  Login failed, IP changed, Password changed, Firmware upgraded, Certificate imported, Configuration imported or exported, Configuration changed, Clear event logged
OpMode         Connect, Disconnect

• To configure this setting, log in to the HTTP/HTTPS console and select System Log
Settings. Then, enable the Local Log for recording on the NPort 5000 device
and/or Remote Log for keeping records on a server. You should enable system log
settings to record all important system events in order to monitor device status and
check for security issues.




• To view events in the system log, log in to the HTTP/HTTPS console and select Monitor -> System Log.
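Once the events above reach a log server, two detections follow directly from the table: repeated "Login failed" events (the brute-force monitoring the note in section 3.3 asks for) and any event from the Configuration group that alters the device, including "Clear event logged", which is itself worth a look. The code below is an added example, not Moxa code. The guide lists the event names but not the wire format, so the sample lines are constructed in an RFC 3164-style "<PRI>Mon DD HH:MM:SS host message" layout with the message text taken from the event table; adjust LINE_RE to what your log server actually receives. Because the table shows no source address for "Login failed", the detection is per device.

```python
"""Brute-force and change monitoring over NPort event logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Deque, Dict, List, Optional

# Constructed sample, not real device output.
SAMPLE_LOG = """\
<14>Mar 26 09:58:10 nport-5150-a System warm start
<14>Mar 26 10:00:01 nport-5150-a Login failed
<14>Mar 26 10:00:03 nport-5150-a Login failed
<14>Mar 26 10:00:04 nport-5150-a Login failed
<14>Mar 26 10:00:06 nport-5150-a Login failed
<14>Mar 26 10:00:09 nport-5150-a Login failed
<14>Mar 26 10:00:30 nport-5150-a Login failed
<14>Mar 26 10:05:00 nport-5150-b Login failed
<14>Mar 26 10:12:00 nport-5150-b Login failed
<14>Mar 26 10:20:15 nport-5150-a Configuration changed
<14>Mar 26 10:20:40 nport-5150-a Clear event logged
"""

# Assumed line layout; the guide does not specify the syslog format.
LINE_RE = re.compile(r"^<\d+>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ASSUMED_YEAR = 2021  # RFC 3164 timestamps carry no year

# Configuration-group events from the table that alter the device.
CHANGE_EVENTS = {
    "IP changed", "Password changed", "Firmware upgraded", "Certificate imported",
    "Configuration imported or exported", "Configuration changed", "Clear event logged",
}


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """One syslog line to {ts, host, msg}, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}


def parse_log(text: str) -> List[Dict[str, Any]]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_bruteforce(events: List[Dict[str, Any]], threshold: int = 5,
                      window_minutes: float = 5) -> List[str]:
    """One alert per device whose failed logins reach `threshold` within the window."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[str] = []
    alerted = set()
    for ev in events:
        if ev["msg"] != "Login failed":
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerts.append(f"{ev['host']}: {len(q)} failed logins within {window_minutes} min ending {ev['ts']}")
            alerted.add(ev["host"])
    return alerts


def change_events(events: List[Dict[str, Any]]) -> List[str]:
    """'host: event' for every configuration-altering event, in log order."""
    return [f"{ev['host']}: {ev['msg']}" for ev in events if ev["msg"] in CHANGE_EVENTS]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce(evs):
        print("ALERT", a)
    for c in change_events(evs):
        print("CHANGE", c)
```

With the Account login failure lockout from section 3.3 enabled, a burst of "Login failed" events should stop at the lockout count; a burst that keeps going is a sign the lockout is not in effect on that device. Compare change events against your change tickets, and treat "Clear event logged" on a device nobody was working on as an incident rather than housekeeping.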




4. Patching/Upgrades

4.1. Patch Management Plan


With regard to patch management, Moxa releases version enhancements annually with detailed release notes.

4.2. Firmware Upgrades


The process for upgrading firmware is as follows:

• Download the latest firmware for your NPort device from the Moxa website:

NPort Series  URL
5100A         https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5100a-series#resources
5100          https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5100-series#resources
5200A         https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5200a-series#resources
5200          https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5200-series#resources
5400          https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5400-series#resources
5600          https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5600-series#resources
5600-DT       https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5600-dt-series#resources
5600-DTL      https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5600-dtl-series#resources
IA5000A       https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/industrial-device-servers/nport-ia5000a-series#resources
IA5000        https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/industrial-device-servers/nport-ia5000-series#resources
5000AI-M12    https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5000ai-m12-series#resources




• Log in to the HTTPS console and select System Management -> Maintenance -> Firmware Upgrade. Click the Choose File button to select the proper firmware and click Submit to upgrade the firmware.

• If you want to upgrade the firmware for multiple units, download the Device Search Utility (DSU) or MXconfig for a GUI interface, or the Moxa CLI Configuration Tool for a CLI interface. The ports table in section 3.1 lists the Moxa Command (DSCI) service as the channel for Moxa utility communication, so if you disabled it as recommended, these utilities cannot reach the device until it is re-enabled; enable it only for the upgrade window and disable it again afterwards.

5. Security Information and Vulnerability Feedback


As the adoption of the Industrial IoT (IIoT) continues to grow rapidly, security has become
one of the top priorities. The Moxa Cyber Security Response Team (CSRT) is taking a proactive
approach to protect our products from security vulnerabilities and help our customers better
manage security risks.

You can find the latest Moxa security information here:


https://www.moxa.com/en/support/product-support/security-advisory

